Spring Security Filters

Spring Security uses request filters to perform various security tasks. Request filters are XML elements in the Spring Security security.xml file, which is located in <Web App Source>/WEB-INF/conf/spring/security. Filters use the <intercept-url> element to define how Elastic Path Commerce handles certain URL patterns. For example:

<intercept-url pattern="/update-password.ep*" access="ROLE_CUSTOMER" requires-channel="https" />

In the filter above, any request whose URL matches the pattern "/update-password.ep*" is forced onto an HTTPS channel (requires-channel="https") and is permitted only for a user who is logged in with the "ROLE_CUSTOMER" role (access="ROLE_CUSTOMER"). Validation of the customer's role is performed by the authentication-manager in the security.xml. See Spring Security Authentication Manager for information on the authentication-manager. For more information on Spring Security, see http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity-single.html.

Elastic Path Commerce uses the following pre-configured filters in the Store Front's Spring Security security.xml file:

    storefront/ep-storefront/src/main/resources/spring/security/security.xml

    <http>
      <intercept-url pattern="/*-account.ep*" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/manage-account.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/edit-account.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/create-address.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/*-address.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/*-credit-card*.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/order-details.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/checkout.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/check-out.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/delivery-options.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/billing-and-review.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/receipt.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/update-password.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/*password*.ep*" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/update-email.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/address-preference.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/print-receipt.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/sec-asset.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />

      <intercept-url pattern="/*sign-in.ep*" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/*signin.ep*" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/payer-authentication-return.ep*" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/search-gift-certificate.ep" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/check-gift-cert-balance.ep" requires-channel="${ep.sf.secure.channel}" />
      <intercept-url pattern="/j_acegi_security_check.ep" requires-channel="${ep.sf.secure.channel}" />

      <intercept-url pattern="/*.ep" requires-channel="http" />
      <intercept-url pattern="/*.ep\?*" requires-channel="http" />
      <intercept-url pattern="/*.html" requires-channel="http" />
      <intercept-url pattern="/*.html\?*" requires-channel="http" />


Elastic Path Commerce uses the following pre-configured filters in the Commerce Manager Client's Spring Security security.xml file:

<intercept-url pattern="/assetImageController.remote*" access="ROLE_ANONYMOUS" requires-channel="${ep.cm.secure.channel}" />
<intercept-url pattern="/*remote" access="ROLE_SUPERUSER,ROLE_CMUSER" requires-channel="${ep.cm.secure.channel}" />
<intercept-url pattern="/*" requires-channel="${ep.cm.secure.channel}" />
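Both lists above are evaluated top to bottom, and the first <intercept-url> whose pattern matches a request decides that request's access roles and channel. That is why the specific /create-address.ep* rule (ROLE_CUSTOMER only) precedes the broader /*-address.ep* rule, why /update-password.ep* precedes /*password*.ep*, and why the anonymous /assetImageController.remote* rule precedes /*remote in the Commerce Manager file. The script below is an added example and not Elastic Path or Spring Security code: it parses an excerpt of the storefront rules quoted on this page, substitutes a constructed value for ${ep.sf.secure.channel}, resolves request paths with an Ant-style matcher of its own, and flags orderings in which an earlier, more permissive rule hides a later, stricter one. The property value, the sample paths and the swapped ordering are the example's own constructions.

```python
"""First-match evaluator for Spring Security <intercept-url> rules.

Added example, not Elastic Path or Spring Security code. It models how the
<http> filter chain picks the first matching rule for a request path and
uses that to check whether a broader, more permissive rule has been placed
ahead of a narrower, stricter one.
"""
import re
import xml.etree.ElementTree as ET

# Constructed property value for the ${...} placeholder used in security.xml.
PROPERTIES = {"ep.sf.secure.channel": "https"}

# Excerpt of the storefront rules quoted on this page, in their original order.
SECURITY_XML = """
<http>
  <intercept-url pattern="/*-account.ep*" requires-channel="${ep.sf.secure.channel}" />
  <intercept-url pattern="/create-address.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
  <intercept-url pattern="/*-address.ep*" access="ROLE_CUSTOMER,ROLE_ANONYMOUS_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
  <intercept-url pattern="/update-password.ep*" access="ROLE_CUSTOMER" requires-channel="${ep.sf.secure.channel}" />
  <intercept-url pattern="/*password*.ep*" requires-channel="${ep.sf.secure.channel}" />
  <intercept-url pattern="/*.ep" requires-channel="http" />
</http>
"""

# Constructed request paths used to probe the rule order.
SAMPLE_PATHS = ["/create-address.ep", "/update-password.ep", "/forgot-password.ep", "/catalog.ep"]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into an anchored, case-insensitive regex:
    '**' spans directories, '*' matches within one segment, '?' matches one character."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def expand(value, props):
    """Replace ${name} placeholders with values from the property map."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props[m.group(1)], value)


def load_rules(xml_text, props):
    """Read <intercept-url> elements in document order into rule dicts."""
    rules = []
    for el in ET.fromstring(xml_text).iter("intercept-url"):
        access = el.get("access")
        rules.append({
            "pattern": el.get("pattern"),
            "regex": ant_to_regex(el.get("pattern")),
            "roles": tuple(r.strip() for r in access.split(",")) if access else (),
            # Spring's default when requires-channel is absent is "any".
            "channel": expand(el.get("requires-channel", "any"), props),
        })
    return rules


def first_match(rules, path):
    """Index of the first rule whose pattern matches the request path, or None."""
    for i, rule in enumerate(rules):
        if rule["regex"].match(path):
            return i
    return None


def resolve(rules, path):
    """The rule that governs the path under first-match semantics, or None."""
    i = first_match(rules, path)
    return None if i is None else rules[i]


def looser(a, b):
    """True if rule a grants more than rule b: plain HTTP where b demands HTTPS,
    no role restriction where b has one, or a strict superset of b's roles."""
    if a["channel"] == "http" and b["channel"] == "https":
        return True
    if not a["roles"]:
        return bool(b["roles"])
    return bool(b["roles"]) and set(a["roles"]) > set(b["roles"])


def permissive_shadowing(rules, sample_paths):
    """For each sample path, report later rules that also match it but are
    stricter than the winning rule; such rules can never take effect."""
    findings = []
    for path in sample_paths:
        i = first_match(rules, path)
        if i is None:
            continue
        for later in rules[i + 1:]:
            if later["regex"].match(path) and looser(rules[i], later):
                findings.append((path, rules[i]["pattern"], later["pattern"]))
    return findings


def swap(rules, pattern_a, pattern_b):
    """Copy of the rule list with two rules exchanged, to model a misordering."""
    idx = {r["pattern"]: i for i, r in enumerate(rules)}
    out = list(rules)
    out[idx[pattern_a]], out[idx[pattern_b]] = rules[idx[pattern_b]], rules[idx[pattern_a]]
    return out


if __name__ == "__main__":
    rules = load_rules(SECURITY_XML, PROPERTIES)
    for path in SAMPLE_PATHS:
        rule = resolve(rules, path)
        print(f"{path:24} -> {rule['pattern']:22} roles={rule['roles'] or 'any'} channel={rule['channel']}")
    misordered = swap(rules, "/create-address.ep*", "/*-address.ep*")
    for path, winner, hidden in permissive_shadowing(misordered, SAMPLE_PATHS):
        print(f"misordered: {path} hits {winner} before stricter {hidden}")
```

Run as a script, it prints the rule each sample path resolves to under the page's ordering (no shadowing is reported), then shows that swapping the two address rules lets the ROLE_ANONYMOUS_CUSTOMER rule capture /create-address.ep ahead of the ROLE_CUSTOMER-only rule. The matcher compares paths only and ignores query strings, so the /*.ep\?* style patterns on this page are not modelled; the same check can be pointed at the Commerce Manager rules by loading that file's <http> element instead.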